Home Depot: US credit card firms slow to upgrade security

ATLANTA (AP) — Visa and MasterCard are using security measures prone to fraud, putting retailers and customers at risk of thieves, The Home Depot Inc. says in a new federal lawsuit.

It's the latest large retailer to raise the security concerns, with a lawsuit filed this week in U.S. District Court in Atlanta. Last month, Arkansas-based Wal-Mart Stores Inc. sued Visa Inc. over similar issues.

Atlanta-based Home Depot says new payment cards with "chip" technology remain less secure in the U.S. than cards used in Europe and elsewhere in the world.

Even with chips, U.S. cards still rely on customers' hand-written signatures for verification, rather than more secure Personal Identification Numbers, or PINs, Home Depot maintains.

A Mastercard spokesman said the chips boost security.

"Regardless of how the cardholder's identity is confirmed, the chip makes data much more secure, rendering it almost useless to create fraudulent cards or transactions," MasterCard spokesman Seth Eisen said in a statement Wednesday.

MasterCard received the court filing Tuesday and is still reviewing it, Eisen said.

"We are aware of the complaint and will respond in due course," a Visa spokeswoman said in a statement Wednesday.

A central issue in Home Depot's lawsuit: Its accusation that Visa and MasterCard are conspiring to prevent adoption of more secure technology in order to maintain market dominance and profits.

"For years, Visa and MasterCard have been more concerned with protecting their own inflated profits and their dominant market positions than with the security of payment cards used by American consumers and the health of the United States economy," Home Depot states in its 138-page lawsuit.

About 80 nations use cards with chips, and most of them — including England, France and Australia — also require a PIN, Home Depot said.

"Such cards offer an extra layer of security beyond the chip itself, by requiring the user to enter a four-digit PIN, thereby ensuring that the individual using the card is the card's owner," Home Depot states in its lawsuit. "Signatures can be copied or forged, and cashiers are not handwriting experts trained to identify forged signatures."

As a result, U.S. consumers and merchants such as Home Depot pay fraud-related costs that are "unrivaled in the rest of the industrial world."

A chip in combination with a PIN is a form of "two-factor authentication," said Craig Piercy, director of the online master of internet technology program at the University of Georgia's Terry College of Business.

"It basically means that you have something with you — usually a physical thing — and something that you know. Both together are required to authenticate a user."

If a card is stolen, even one with a microchip, a thief could still use it by inserting it into the card reader, then scribbling the name on the card on a receipt or pad near a cash register.

But if the thief doesn't know the PIN, the card is rejected.

"Neither one protects against all types of fraud, but in terms of protecting against lost or stolen cards, chip and PIN is more secure," Piercy said.

Home Depot was targeted in a wave of data heists that began with Target's pre-Christmas 2013 attack. Home Depot's 2014 data breach at stores in the U.S. and Canada affected 56 million debit and credit cards, far more than the attack on Target customers. Hackers also stole 53 million email addresses from Home Depot customers.

Home Depot pushed hard to activate chip-enabled checkout terminals at all of its stores after the 2014 attack.

While common in Europe and outside of the U.S. for more than a decade, chip cards have only recently started seeing broader acceptance in the U.S.

Cards with chips, which issue a one-time code each time a transaction is processed, are far more secure than the 1960s-era magnetic stripe technology that many cards still rely upon.

But the roll out has not been as smooth as banks and credit card companies had hoped. Due to the cost of upgrading their equipment to accept the new chip cards, many merchants have not yet done so.

Even with chip technology, the lack of PIN requirements in the U.S. could lead to rising fraud in the future, as more transactions shift online where no physical card is presented, Home Depot said its lawsuit.

Last month, Wal-Mart said in a lawsuit that Visa won't allow it to let customers verify chip-enabled debit card transactions with PINs rather than the less-secure signature method.

"PIN is the only truly secure form of cardholder verification in the marketplace today, and it offers superior security to our customers," a Wal-Mart spokesman said after its lawsuit was filed last month in the New York State Supreme Court.

___

Associated Press writers Anne D'Innocenzio and Ken Sweet in New York contributed to this report.